Ensure that your RDS database instances are encrypted to fulfill compliance requirements for data-at-rest encryption. The RDS data encryption and decryption is handled transparently and does not require any additional action from you or your application.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When dealing with production databases that hold sensitive and critical data, it is highly recommended to implement encryption in order to protect your data from unauthorized access. With RDS encryption enabled, the data stored on the instance underlying storage, the automated backups, Read Replicas, and snapshots, become all encrypted. The RDS encryption keys implement AES-256 algorithm and are entirely managed and protected by the AWS key management infrastructure through AWS Key Management Service (AWS KMS).
Note: AWS RDS encryption is not available for all database instance types. The instance types that are currently supporting encryption are: db.t2.large, db.m3.medium to db.m3.2xlarge, db.m4.large to db.m4.10xlarge, db.r3.large to db.r3.8xlarge and db.cr1.8xlarge.
To determine if your RDS database instances are encrypted, perform the following:
To enable data encryption for your existing RDS instances you need to re-create (back up and restore) them with encryption flag enabled, by performing the following steps: